Snort on OpenWrt: Guarding the SOHO perimeter

If you're edgy about security for your SOHO LAN, you might want to consider moving your first line of defense out past your firewall. How about on your router, for example? If your router runs OpenWrt, you can do exactly that, by running Snort, the open source intrusion detection system (IDS) project that has become the most widely deployed IDS in the world. Throw in the firewall that comes out of the box with OpenWrt White Russian, and suddenly the perimeter seems a lot more secure.

Nicholas Thill -- known as Nico in the OpenWrt community -- maintains three separate packages for Snort in his repository of packages. They include a plain Jane version, without any support for logging to a database, and two database-specific packages: one for MySQL and one for PostgreSQL. All are based on the Snort release 2.3.3-1 and are considered to be in a testing state and not yet included in the official release.

For the sake of simplicity, I'll discuss the plain Jane installation in this article. Regardless of which version you select, be aware that you can overload and potentially crash your OpenWrt router by running Snort wide open with all its rule sets and preprocessors (rule sets look for specific signatures, while preprocessors are plugin modules that extend Snort's capabilities), or simply by logging Snort's output to the local system and filling up all available space.

OpenWrt is a wonderful distribution, but it often runs on systems with serious memory and/or storage constraints, which you can easily overload by running Snort with all the trimmings.

Syslog remotely

Snort reports its findings in log records, so running Snort without saving them for later analysis is like typing a book without putting paper in the typewriter: you go through a lot of motions but don't get much of a return for your efforts. Given the typical router's constraints both in processing power and storage space, it makes sense to log Snort's findings remotely.

In order to start syslog logging remotely, you'll need to make changes to your configuration both on the router and on the system where the logging will be done. It's a snap to set up remote logging on OpenWrt, as explained in this Mini-HOWTO on the OpenWrt wiki.

From the OpenWrt command line, enter the following:

nvram set log_ipaddr=192.168.1.101
nvram commit

Change the IP address to match the address of the system running syslogd. Then edit /etc/inittab and add these two lines:

::respawn:/sbin/syslogd -n
::respawn:/sbin/klogd -n

And finally, edit /etc/init.d/rcS to add:

mkdir /var/log

To handle the logging on the remote side of the connection, add the -r option to the command line that starts syslogd and you're good to go. If you're using Ubuntu, for example, edit /etc/init.d/sysklogd and change the line that reads:

SYSLOGD="-u syslog"

to read:

SYSLOGD="-r -u syslog"
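The steps above, gathered into a small set of shell functions as an added example (not part of the original article). The file paths are parameters so the edits can be rehearsed on scratch copies before touching the router's /etc/inittab and /etc/init.d/rcS; set_log_host wraps the nvram commands and only makes sense on the router itself. The address check and the "add the line only once" behaviour are my additions, so re-running the script after a firmware tweak does not leave duplicate respawn entries.

```shell
#!/bin/sh
# Added example, not from the article: idempotent helpers for the remote-syslog
# setup. Paths are parameters so the steps can be rehearsed on scratch copies;
# the real targets on the router are /etc/inittab and /etc/init.d/rcS.

# Accept only a dotted-quad IPv4 address: four numeric octets, each 0..255.
# Runs in a subshell so changing IFS and the positional parameters stays local.
valid_ipv4() {
    (
        IFS=.
        set -f                      # no globbing while splitting on dots
        set -- $1
        [ $# -eq 4 ] || exit 1
        for o in "$@"; do
            case $o in ''|*[!0-9]*) exit 1 ;; esac
            [ "$o" -le 255 ] || exit 1
        done
        exit 0
    )
}

# Append a line only if it is not already present, so re-running the script
# never duplicates the respawn entries in inittab or the mkdir in rcS.
ensure_line() {
    file=$1; line=$2
    [ -f "$file" ] || : > "$file"
    grep -qxF -- "$line" "$file" || printf '%s\n' "$line" >> "$file"
}

# Router side, step 1: tell OpenWrt where to ship log records (nvram is router-only).
set_log_host() {
    valid_ipv4 "$1" || { echo "refusing to set log_ipaddr to '$1'" >&2; return 1; }
    nvram set log_ipaddr="$1" && nvram commit
}

# Router side, steps 2 and 3: keep syslogd/klogd running and create /var/log at boot.
add_router_logging_entries() {
    inittab=$1; rcs=$2
    ensure_line "$inittab" '::respawn:/sbin/syslogd -n'
    ensure_line "$inittab" '::respawn:/sbin/klogd -n'
    ensure_line "$rcs" 'mkdir /var/log'
}

# Log-host side (Ubuntu sysklogd): add -r once to the SYSLOGD="..." line so
# syslogd accepts records from the network.
enable_remote_reception() {
    conf=$1
    grep -q '^SYSLOGD="-r' "$conf" && return 0      # already listening
    sed 's/^SYSLOGD="\(.*\)"$/SYSLOGD="-r \1"/' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Rehearsal on scratch copies (safe anywhere). On the router, pass /etc/inittab
# and /etc/init.d/rcS instead and call set_log_host with your log host's address.
work=$(mktemp -d)
printf '::sysinit:/etc/init.d/rcS\n' > "$work/inittab"
printf '#!/bin/sh\n' > "$work/rcS"
printf 'SYSLOGD="-u syslog"\n' > "$work/sysklogd"
add_router_logging_entries "$work/inittab" "$work/rcS"
add_router_logging_entries "$work/inittab" "$work/rcS"   # second run changes nothing
enable_remote_reception "$work/sysklogd"
cat "$work/inittab" "$work/rcS" "$work/sysklogd"
rm -rf "$work"
```

Because every function takes the file it edits as an argument, the same script can be pointed at the real files on the router once the scratch run looks right.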

Of course, if you're like me and think that syslogd is so last generation, you can install syslog-ng instead, which accepts remote logging by default.

Installing and Configuring Snort

The easiest way to install the version of Snort you want is with the OpenWrt Admin Console. But before you do that, check /etc/ipkg.conf on the router and make sure the repository mentioned above is included as a source. If it's not, add this line to the file:

src nico-t http://nthill.free.fr/openwrt/ipkg/testing

Then click on System and Installed Software in the OpenWrt Admin Console and refresh the list of available packages by clicking on Update package lists. All that's left to do then is scroll down the list of packages, find the version of Snort you want, and click on Install next to it.

Before you configure Snort, you'll need to get some rules from the Snort site. Snort rules define the packets that Snort should identify and take action on, and the actions that should be taken.

Rather than downloading only the rules included in the default OpenWrt snort.conf file, I downloaded a full set and put them in /etc/snort/rules. That way, I don't have to get new rule sets each time I tweak snort.conf.

You'll need to define the HOME_NET variable near the top of /etc/snort/snort.conf, and also define an output method near the bottom. Once you've done those two things, Snort should be ready to run, except for whatever tweaking you need to do for preprocessors and rules.

The pre-configured version of snort.conf, for example, comes with almost all the preprocessors commented out. To activate them, simply remove the # signs from the beginning of each line of the section for the preprocessor you want. The same thing is true for the rules. Note: Remember to keep an eye on memory usage as you activate preprocessors and rule sets.

My HOME_NET in snort.conf already looked like this, so I kept it:

var HOME_NET 192.168.1.0/24

For the output option, I removed the # from this line:

# output alert_syslog: LOG_AUTH LOG_ALERT
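The three snort.conf edits described above (setting HOME_NET, enabling the alert_syslog output, and un-commenting a preprocessor section line by line) as an added example, not code from the article or the OpenWrt package. The config path is a parameter so the edits can be tried on a copy before touching /etc/snort/snort.conf; the preprocessor names in the constructed sample (frag2, flow-portscan, stream4) are ones from the Snort 2.3 era, and the helper treats any backslash-continued lines as part of the block being enabled.

```shell
#!/bin/sh
# Added example, not from the article: helpers for the snort.conf edits the
# article describes. The path is a parameter so you can rehearse on a copy.

# Replace the existing "var HOME_NET ..." line, or append one if none exists.
set_home_net() {
    conf=$1; net=$2
    if grep -q '^var HOME_NET ' "$conf"; then
        sed "s|^var HOME_NET .*|var HOME_NET $net|" "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    else
        printf 'var HOME_NET %s\n' "$net" >> "$conf"
    fi
}

# Un-comment the "output alert_syslog" line so alerts go to syslog (and on to
# the remote log host).
enable_alert_syslog() {
    conf=$1
    sed 's/^#[[:space:]]*\(output alert_syslog:\)/\1/' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Un-comment one preprocessor block by name, including its backslash-continued
# lines, and leave every other commented-out block alone.
enable_preprocessor() {
    conf=$1; name=$2
    awk -v name="$name" '
        function uncomment(s) { sub(/^#[ \t]*/, "", s); return s }
        inblk {                                   # continuation lines of the chosen block
            print uncomment($0)
            if ($0 !~ /\\[ \t]*$/) inblk = 0
            next
        }
        /^#[ \t]*preprocessor[ \t]/ {
            line = uncomment($0)
            split(line, f, /[ \t]+/)
            key = f[2]; sub(/:$/, "", key)        # "flow-portscan:" -> "flow-portscan"
            if (key == name) {
                print line
                if (line ~ /\\[ \t]*$/) inblk = 1
                next
            }
        }
        { print }
    ' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# List the preprocessors currently active (not commented out), space-separated.
active_preprocessors() {
    awk '/^preprocessor[ \t]/ { k = $2; sub(/:$/, "", k); print k }' "$1" | sort | tr '\n' ' ' | sed 's/ $//'
}

# Constructed sample config (not a real snort.conf) to rehearse the edits on.
work=$(mktemp -d)
printf '%s\n' '# preprocessor frag2' \
    '# preprocessor flow-portscan: \' \
    '#    scanner-fixed-threshold 15 \' \
    '#    server-memcap 10000000' \
    'preprocessor stream4: detect_scans' \
    '# output alert_syslog: LOG_AUTH LOG_ALERT' \
    'var HOME_NET any' > "$work/snort.conf"
set_home_net "$work/snort.conf" 192.168.1.0/24
enable_alert_syslog "$work/snort.conf"
enable_preprocessor "$work/snort.conf" flow-portscan
cat "$work/snort.conf"
echo "active preprocessors: $(active_preprocessors "$work/snort.conf")"
rm -rf "$work"
```

Enabling one preprocessor at a time with enable_preprocessor, and checking memory after each, fits the article's advice better than stripping every # from the file in one pass.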

Those two changes made, I started snort running by entering snort -i vlan1 & and it blasted off, producing the following on my OpenWrt console:

Right out of the box, and with only minimal rules in place, Snort was eating 25% of system memory. I added rules and preprocessors, primarily for the detection of scans, but I've tried not to let it take more than 50% of memory or leave less than 1000K of memory free. So far, so good, and with no impact on the performance of the router. But remember, you can overload the router if you're not careful, so keep a watchful eye on available resources as you tweak the config.

After I enabled the scan detection preprocessors and added a couple of additional rule sets, Snort's memory consumption climbed to 49.3% and the amount of free memory had shrunk to just over 5000K. I decided to stop there.
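A resource check built around the two limits the article settles on (Snort at no more than 50% of memory, never under 1000K free), as an added example rather than anything from the article. Inputs are files so the check can be run over captured or constructed data; on the router you would feed it /proc/meminfo and a saved copy of BusyBox ps output. The column names it looks for (VmSize, Command) are an assumption about what White Russian's BusyBox ps prints; the function locates them from the header line, so if your ps uses other names only those two strings need to change.

```shell
#!/bin/sh
# Added example, not from the article: check Snort's memory footprint against
# the limits the article uses. Limits are in a variable so they are easy to tune.
SNORT_MAX_PCT=50     # article: stay under half of system memory
MIN_FREE_KB=1000     # article: keep at least 1000K free

# Pull one field (e.g. MemFree) out of a /proc/meminfo-style file, in kB.
meminfo_kb() {
    awk -v key="$1:" '$1 == key { print $2; found = 1 } END { if (!found) print 0 }' "$2"
}

# Sum the VmSize (kB) of every process whose command is snort. The VmSize and
# Command columns are found from the header line (assumed BusyBox ps layout).
snort_vmsize_kb() {
    awk '
        NR == 1 { for (i = 1; i <= NF; i++) { if ($i == "VmSize") vc = i; if ($i == "Command") cc = i } next }
        vc && cc && $cc ~ /(^|\/)snort$/ { sum += $vc }
        END { print sum + 0 }
    ' "$1"
}

# Integer percentage of total memory that snort occupies (truncated).
snort_mem_pct() {
    total=$1; snort=$2
    [ "$total" -gt 0 ] || { echo 0; return; }
    echo $(( snort * 100 / total ))
}

# Return 0 when both limits hold; otherwise report which one is broken and return 1.
headroom_ok() {
    total=$1; free=$2; snort=$3
    status=0
    if [ $(( snort * 100 )) -gt $(( SNORT_MAX_PCT * total )) ]; then
        echo "snort uses $(snort_mem_pct "$total" "$snort")% of memory (limit ${SNORT_MAX_PCT}%)" >&2
        status=1
    fi
    if [ "$free" -lt "$MIN_FREE_KB" ]; then
        echo "only ${free}K free (floor ${MIN_FREE_KB}K)" >&2
        status=1
    fi
    return $status
}

# Run the check against a meminfo file and a ps snapshot (e.g. ps > /tmp/ps.out).
check_router() {
    total=$(meminfo_kb MemTotal "$1"); free=$(meminfo_kb MemFree "$1"); snort=$(snort_vmsize_kb "$2")
    headroom_ok "$total" "$free" "$snort"
}

# Constructed sample data: a 16 MB router with Snort at roughly a quarter of memory.
work=$(mktemp -d)
printf 'MemTotal:        15904 kB\nMemFree:          5120 kB\n' > "$work/meminfo"
printf '  PID  Uid     VmSize Stat Command\n    1 root        400 S   init\n   98 root        652 S   /sbin/syslogd -n\n  112 root       3984 S   snort -i vlan1\n' > "$work/ps"
if check_router "$work/meminfo" "$work/ps"; then
    echo "headroom OK: snort at $(snort_mem_pct "$(meminfo_kb MemTotal "$work/meminfo")" "$(snort_vmsize_kb "$work/ps")")%"
else
    echo "back off the rule sets"
fi
rm -rf "$work"
```

Running check_router from cron or by hand after each snort.conf change turns the article's "keep a watchful eye" into a pass/fail answer, and the stderr message tells you which of the two limits you crossed.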

You might consider installing the plain Jane version first, then moving to one of the database-specific versions if you like. But if you do, remember that changing versions requires more than simply changing your snort.conf to indicate the database: you have to remove the plain Jane version of Snort and then install the database version. That process will replace your snort.conf, so if you want to keep your old one, make a copy before you install the new version of Snort.

For further information about Snort on OpenWrt, see this report by David Schwartzburg.